General

  • Target

    b8d4df828329617507370def0687c4f7_JaffaCakes118

  • Size

    380KB

  • Sample

    240617-qmdfgaselg

  • MD5

    b8d4df828329617507370def0687c4f7

  • SHA1

    aaa0553b099e1922410546fc20a706a8b35105e3

  • SHA256

    f7e176e4c11cb65abd71661f0cb5a86be25671cc0d9aef401fc3944abd94432e

  • SHA512

    031402a347206d7f21c822e9daa70fd163688881a34bded71c11509f792017f25f1ac0ab8bd2fcac1610eca826f1dec187ffad1bc3936d2fae282c7c904df2f5

  • SSDEEP

    6144:r9ye34pytIcTiwOUANV+sZzYebci8OAQDmokHSQdE9VCaqtcCukuCt:k04pKiYQ+AYegi8OLqcQdElCukum

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    SMTP.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    GOOD123456

Targets

    • Target

      PO-98799.exe

    • Size

      432KB

    • MD5

      31ba58073b33dbad4418fc2006353694

    • SHA1

      d202681de59bffbe82ae541dc88585980bfdcf5d

    • SHA256

      e5591234e562907478a03882422de2e5ec87869f1388eaecfa6fb39bb0cc331e

    • SHA512

      f175dca7685e830955d08b424fe3b29ad54987cc941164bda45d9aa5e7c8589e01170721a54c58f2e8185d856bcdb526df99ff46938a41fc16ac42ed5ac4826f

    • SSDEEP

      6144:SNgQMvWDrccHgFJYOxixi2K1pNS0WTEhjLT5S1tqJtfdoT763BvTRG7brk:SNXgDeiHTS0omP9S1YNoT+li

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, typically written in Visual Basic .NET. It harvests stored credentials from browsers, email and FTP clients and sends them to an operator-controlled mailbox; the SMTP account in the extracted config above is that exfiltration channel.

    • AgentTesla payload

    • Drops file in Drivers directory

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

      Writes a value under a ...\CurrentVersion\Run registry key so the payload is relaunched at each user logon (a common persistence technique).

    • Suspicious use of SetThreadContext

      SetThreadContext is rarely needed by benign applications; process-injection loaders (process hollowing in particular) call it to point a suspended thread at injected code, so it commonly indicates that the payload runs in a different process from the dropper.
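
The behaviours listed above and the SMTP endpoint in the extracted config can be turned into host-side detection logic. The following is an added example, not code from the sandbox or from the sample: it classifies EDR/Sysmon-style event records (the record shape, the allowlists, and the credential-store paths are assumptions; the paths are the products' well-known defaults, not paths observed in this run) and gives a verdict per process. The SetThreadContext signature has no direct equivalent in such records and is not covered.

```python
"""Added example: match the behaviours and exfiltration config reported above
against constructed EDR/Sysmon-style event records. Not the sandbox's code."""
import re
from collections import defaultdict

# Exfiltration endpoint from the extracted config ("Malware Config" above).
EXFIL_HOST = "smtp.yandex.com"
EXFIL_PORT = 587

# Processes expected to speak SMTP, or to read their own credential stores.
# Assumed allowlists; tune them to the environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
STORE_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe",
                "outlook.exe", "winscp.exe", "filezilla.exe"}

# Default locations of the data the report's signatures say the sample reads.
# These are the products' well-known paths, not paths observed in this run.
PATTERNS = {
    "persistence:run_key": re.compile(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I),
    "credential_access:winscp": re.compile(
        r"\\Software\\Martin Prikryl\\WinSCP 2\\Sessions", re.I),
    "credential_access:ftp_client": re.compile(
        r"\\FileZilla\\(?:sitemanager|recentservers)\.xml$", re.I),
    "credential_access:email_client": re.compile(
        r"\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\"
        r"|\\Thunderbird\\Profiles\\.*\\logins\.json$", re.I),
    "credential_access:browser": re.compile(
        r"\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\.*\\Login Data$"
        r"|\\Mozilla\\Firefox\\Profiles\\.*\\logins\.json$", re.I),
}


def classify_event(event):
    """Return the behaviour tag an event record matches, or None.

    Records are dicts with 'kind' in {'registry', 'file', 'network'}, the
    acting 'image', and either 'target' (key/path) or 'dst_host'/'dst_port'.
    """
    image = event["image"].lower()
    if event["kind"] == "network":
        if (event["dst_port"] == EXFIL_PORT
                and event["dst_host"].lower() == EXFIL_HOST
                and image not in MAIL_CLIENTS):
            return "exfiltration:smtp_to_configured_host"
        return None
    if event["kind"] in ("registry", "file"):
        for tag, pattern in PATTERNS.items():
            if pattern.search(event["target"]):
                # A client reading its own store is normal; a stranger is not.
                if tag.startswith("credential_access:") and image in STORE_OWNERS:
                    return None
                return tag
    return None


def triage(events):
    """Group matched tags per process image; unmatched processes are omitted."""
    hits = defaultdict(set)
    for ev in events:
        tag = classify_event(ev)
        if tag:
            hits[ev["image"]].add(tag)
    return {image: sorted(tags) for image, tags in hits.items()}


def is_agenttesla_like(tags):
    """Heuristic verdict: SMTP exfil to the configured host, or Run-key
    persistence combined with theft from at least two credential stores."""
    stealing = sum(t.startswith("credential_access:") for t in tags)
    return ("exfiltration:smtp_to_configured_host" in tags
            or ("persistence:run_key" in tags and stealing >= 2))


# Constructed records modelled on what the sandbox reported for PO-98799.exe,
# plus two benign events that must not fire.
SAMPLE_EVENTS = [
    {"kind": "registry", "image": "PO-98799.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PO-98799"},
    {"kind": "registry", "image": "PO-98799.exe",
     "target": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\prod"},
    {"kind": "file", "image": "PO-98799.exe",
     "target": r"C:\Users\u\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"kind": "file", "image": "PO-98799.exe",
     "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "registry", "image": "PO-98799.exe",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"kind": "network", "image": "PO-98799.exe",
     "dst_host": "SMTP.yandex.com", "dst_port": 587},
    {"kind": "network", "image": "outlook.exe",
     "dst_host": "smtp.yandex.com", "dst_port": 587},
    {"kind": "file", "image": "chrome.exe",
     "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for image, tags in triage(SAMPLE_EVENTS).items():
        print(image, is_agenttesla_like(tags), tags)
```

The per-process grouping matters: any single tag (a mail client reading its own profile, one SMTP connection) is weak on its own, but persistence plus reads of several unrelated credential stores by one unsigned binary is the AgentTesla pattern this report describes. The SMTP rule keys on the extracted host and port; on a real network the destination is often an operator's own mailbox rather than a public provider, so the rule should be fed from each new config extraction.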
